ISE 3.1 with Azure AD

dm2020
Level 1

Hi All,

 

Does anyone have any experience with ISE and Azure AD that can give me some pointers?

 

I am currently designing an ISE deployment for a customer that uses only Azure AD. They want to authenticate and authorise corporate Windows devices against Azure, which I don't think will work as Azure AD does store computer accounts like AD. In addition, the ISE 3.1 integration with Azure uses ROPC, which currently only supports EAP-TTLS with PAP as the inner method, which is insecure compared to EAP-TLS. EAP-TTLS uses the Azure AD username/password, so again there is no possibility of authenticating the computer itself.

 

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/216182-configure-ise-3-0-rest-id-with-azure-act.html

 

What is required to support EAP-TLS computer authentication in this scenario? Will the customer need to enable Azure AD Active Directory Services to support traditional Windows domain join functionality in ISE?

 

As an alternative to integrating ISE with Azure AD altogether, I think that it will be possible to use mutual EAP-TLS authentication between ISE and the computer without any type of lookup in AD, which means no authorisation.

 

How have others approached this?

 

Thanks all

 


6 Replies

Azure AD != AD

Yes, for 3.1 the customer will need to deploy an on-premise AD environment that can then be linked to Azure AD.  

Your second statement is also correct, if you do not need to do any AD lookups, then you can always just perform EAP-TLS with no AD verification/lookup.

 

I would also suggest you/your customer attend the "What's new in ISE 3.2" webinars.  You may be pleasantly surprised with what is coming  

https://learningnetwork.cisco.com/s/cisco-ise-training-videos
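The reply above says you can run EAP-TLS with no AD lookup at all. In that mode the only inputs ISE has for an authorization decision are the certificate chain and the fields inside the client certificate, and it is worth seeing concretely what that leaves you with. The shell script below is an added example, not from this thread or from Cisco. It assumes only openssl 1.1.1 or later on PATH, generates a throwaway device CA, a properly issued device certificate and a look-alike self-signed certificate, and then performs the chain check and an authorization decision driven by the certificate's OU. The CA name, device name, UPN-style SAN and the OU-to-VLAN mapping are all hypothetical; the mapping stands in for what you would express as certificate-attribute conditions in an ISE authorization policy and is not ISE syntax.

```shell
#!/bin/sh
# Added example (not from the thread or from Cisco): authorization from certificate
# content only, i.e. EAP-TLS with no directory lookup.
# Assumes: openssl 1.1.1+ on PATH. Every certificate is generated here, in a temp dir.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Corporate device CA: the trust anchor ISE would hold (hypothetical names).
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" -days 1 \
  -subj "/O=Corp/CN=Corp Device CA" >/dev/null 2>&1

# 2. Device certificate issued by that CA: clientAuth EKU plus a UPN-style SAN
#    (a real machine-account UPN would end in '$@corp.example'; omitted here because
#    '$' is a variable marker in openssl config files).
cat > "$WORK/device.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature
extendedKeyUsage=clientAuth
subjectAltName=otherName:1.3.6.1.4.1.311.20.2.3;UTF8:device01@corp.example
EOF
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
  -keyout "$WORK/device.key" -out "$WORK/device.csr" \
  -subj "/O=Corp/OU=Laptops/CN=device01.corp.example" >/dev/null 2>&1
openssl x509 -req -in "$WORK/device.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -extfile "$WORK/device.ext" -out "$WORK/device.pem" >/dev/null 2>&1

# 3. Look-alike certificate: identical subject, but self-signed by whoever made it.
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
  -keyout "$WORK/rogue.key" -out "$WORK/rogue.pem" -days 1 \
  -subj "/O=Corp/OU=Laptops/CN=device01.corp.example" >/dev/null 2>&1

# Returns 0 only when the presented certificate chains to our CA and is valid for
# client authentication. This is the whole "authentication" step in the no-lookup design.
verify_client_cert() {  # $1 = client certificate (PEM)
  openssl verify -CAfile "$WORK/ca.pem" -purpose sslclient "$1" >/dev/null 2>&1
}

# Prints the subject CN: the identity ISE would log, taken from the certificate itself.
cert_cn() {  # $1 = client certificate (PEM)
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Authorization purely from certificate content: chain check, then OU -> network
# (hypothetical VLAN names standing in for an ISE authorization profile).
authorize() {  # $1 = client certificate (PEM); prints the decision, exit 1 on reject
  if ! verify_client_cert "$1"; then
    echo "REJECT"
    return 1
  fi
  ou=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*OU=\([^,]*\).*/\1/p')
  case "$ou" in
    Laptops) echo "PERMIT vlan=corp" ;;
    *)       echo "PERMIT vlan=quarantine" ;;
  esac
}

echo "device ($(cert_cn "$WORK/device.pem")): $(authorize "$WORK/device.pem")"
echo "rogue  ($(cert_cn "$WORK/rogue.pem")): $(authorize "$WORK/rogue.pem" || true)"
```

The look-alike certificate carries exactly the same subject as the real one, which is the point: anyone can mint a subject, so with no directory behind ISE the entire decision rests on the CA chain and EKU. It also means revocation (CRL or OCSP published by that CA) becomes the only way to pull a lost or compromised device's access, since there is no account to disable.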

Hi @ahollifield 

 

That's great, thanks for the quick response.

 

Also, instead of doing any type of AD lookups for the client, is it possible to check the status of the client in an MDM integration such as Intune (e.g. is the client enrolled and compliant?). I have not worked with ISE and MDM integration before, so I'm not sure if this is possible or not.

Yes, it is possible. See some of the following related documents:

Cisco ISE Integration with Mobile Device Management (MDM) 

Integrate MDM and UEM Servers with Cisco ISE 

There is also an older session on "Mobile Device Management with ISE" available at https://cs.co/ise-webinars as a starting point.

mh123
Level 1

Hello,

I am in the same situation: on-prem ISE with an upcoming cloud-only Azure AD.

Is there any update on your case?

Could you resolve the "problem"?

Greetings Michael

Did you watch the webinars?

thomas
Cisco Employee

What's New in ISE 3.2 - Part 1

14:42 Overview of Microsoft Azure Active Directory
15:15 802.1X with OAuth-ROPC to Azure AD in ISE 3.0
20:02 EAP-TLS & TEAP Authorization with Microsoft Azure Active Directory
21:52 Demo: EAP-TLS Certificate based Authorization with Azure Active Directory